The information in this document is based on these software and hardware versions:

Cisco Aironet 1240 / 1140 Series Access Points

ACS that runs software version 4.1

ACS that runs software version 5.2

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

This section explains how to configure the Aironet AP and the TACACS+ server (ACS) for TACACS+-based login authentication.

This configuration example uses these parameters:

IP address of the ACS—172.16.1.1/255.255.0.0

IP address of the AP—172.16.1.30/255.255.0.0

Shared secret key that is used on the AP and the TACACS+ server—Example

These are the credentials of the user that this example configures on the ACS:

Username—User1

Password—Cisco

Group—AdminUsers

You need to configure TACACS+ features to validate the users who try to connect to the AP either through the web interface or through the command-line interface (CLI). In order to accomplish this configuration, you must perform these tasks:

The first step is to set up a TACACS+ daemon to validate the users who try to access the AP. You must set up the ACS for TACACS+ authentication and create a user database. You can use any TACACS+ server. This example uses the ACS as the TACACS+ server. Complete these steps:

Complete these steps in order to add the AP as an authentication, authorization, and accounting (AAA) client:

From the ACS GUI, click the Network Configuration tab.

Under AAA Clients, click Add Entry.

In the Add AAA Client window, enter the AP host name, the IP address of the AP, and a shared secret key.

This shared secret key must be the same as the shared secret key that you configure on the AP.

From the Authenticate Using drop-down menu, select TACACS+ (Cisco IOS).

Click Submit + Restart in order to save the configuration.

Here is an example:

This example uses:

The AAA Client Hostname AccessPoint

The address 172.16.1.30/16 as the AAA Client IP Address

The shared secret key Example

Complete these steps in order to create a group that contains all the administrative (admin) users:

Click Group Setup from the menu on the left.

A new window appears.

In the Group Setup window, select a group to configure from the drop-down menu and click Rename Group.

This example selects Group 6 from the drop-down menu and renames the group AdminUsers.

Click Submit.

Here is an example:

Complete these steps in order to add the users to the TACACS+ database:

Click the User Setup tab.

In order to create a new user, enter the username in the User field and click Add/Edit.

Here is an example, which creates User1:

After you click Add/Edit, the Add/Edit window for this user appears.

Enter credentials that are specific to this user and click Submit in order to save the configuration.

The credentials that you can enter include:

Supplementary user information

User setup

The group to which the user is assigned

Here is an example:

You can see that this example adds the user User1 to the group AdminUsers.

Note: If you do not create a specific group, the users are assigned to the default group.

Complete these steps in order to define the privilege level:

Click the Group Setup tab.

Select the group that you previously assigned to this user and click Edit Settings.

This example uses the group AdminUsers.

Under TACACS+ Settings, check the Shell (exec) check box and check the Privilege level check box that has a value of 15.

Click Submit + Restart.

Note: You must define privilege level 15 for the user in order for the user to access the GUI and Telnet at level 15. Otherwise, by default, the user has only level 1 access. If the privilege level is not defined and the user tries to enter enable mode on the CLI (through Telnet), the AP displays this error message:

AccessPoint>enable
% Error in authentication

Repeat steps 2 through 4 of this procedure if you want to add more users to the TACACS+ database. After you have completed these steps, the TACACS+ server is ready to validate users who try to log in to the AP. Now, you must configure the AP for TACACS+ authentication.

Note: You must have Cisco IOS Software Release 12.3(7)JA or later in order for all the commands in this configuration to work properly. An earlier Cisco IOS Software release might not have all these commands available.

In order to verify the configuration, try to log in to the AP through the GUI or the CLI. When you try to access the AP, the AP prompts you for a username and password.

When you provide the user credentials, the AP forwards the credentials to the TACACS+ server. The TACACS+ server validates the credentials on the basis of the information that is available in its database and provides access to the AP upon successful authentication. You can choose Reports and Activity > Passed Authentication on the ACS and use the Passed Authentication report in order to check for successful authentication for this user. Here is an example:

You can also use the show tacacs command in order to verify the correct configuration of the TACACS+ server. Here is an example:

You can choose Reports and Activity > Failed Authentication in order to see the failed authentication attempt on the ACS. Here is an example:

If you use a Cisco IOS Software release on the AP that is earlier than Cisco IOS Software Release 12.3(7)JA, you may hit a bug every time that you try to log in to the AP through HTTP. The Cisco bug ID is CSCeb52431 (registered customers only).

The Cisco IOS Software HTTP/AAA implementation requires independent authentication of each separate HTTP connection. A single page of the wireless Cisco IOS Software GUI references many dozens of separate files (for example, JavaScript and GIF files). So if you load a single page in the wireless Cisco IOS Software GUI, dozens of separate authentication/authorization requests can hit the AAA server.

For HTTP authentication, use RADIUS or local authentication. The RADIUS server is still subject to the multiple authentication requests. But RADIUS is more scalable than TACACS+, and so it is likely to have a smaller adverse performance impact.

If you must use TACACS+ and you have a Cisco ACS, use the single-connection keyword with the tacacs-server command. This keyword spares the ACS most of the TCP connection setup/teardown overhead and is likely to reduce the load on the server to a certain extent.

For Cisco IOS Software Release 12.3(7)JA and later on the AP, the software includes a fix. The remainder of this section describes the fix.

Use the AAA authentication cache feature in order to cache the information that the TACACS+ server returns. The authentication cache and profile feature allows the AP to cache the authentication/authorization responses for a user so that subsequent authentication/authorization requests do not need to be sent to the AAA server. In order to enable this feature with the CLI, use these commands:

In order to enable this feature on the GUI, choose Security > Admin Access and check the Enable Authentication Server Caching check box. Because this document uses Cisco IOS Software Release 12.3(7)JA, the document uses the fix, as the configurations illustrate.
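The AP side of this configuration, written here as an added example rather than taken from the document: it points the AP at the ACS from the example parameters (172.16.1.1, shared secret Example), uses the single-connection keyword, and enables the authentication cache profile described above. The server group name tac_admin and the cache profile name admin_cache are assumed names chosen for this example.

```cisco
! Added example configuration, not the document's own. Assumes IOS 12.3(7)JA or
! later on the AP; group name tac_admin and profile name admin_cache are assumed.
aaa new-model
!
! TACACS+ server from the example parameters. single-connection keeps one TCP
! session open to the ACS instead of a setup/teardown per request.
tacacs-server host 172.16.1.1 single-connection key Example
!
aaa group server tacacs+ tac_admin
 server 172.16.1.1
!
! Without the cache, every HTTP connection of the GUI triggers its own
! authentication/authorization request to the ACS:
!   aaa authentication login default group tac_admin local
!   aaa authorization exec default group tac_admin local
!
! With the fix, a cache profile stores the responses for all users, and the
! "cache" method is consulted before the TACACS+ group. "local" is a fallback
! so the AP stays reachable if the ACS is unavailable.
aaa cache profile admin_cache
 all
!
aaa authentication login default cache admin_cache group tac_admin local
aaa authorization exec default cache admin_cache group tac_admin local
!
! Send GUI logins through AAA as well (the exec authorization returns the
! privilege level 15 that the ACS group AdminUsers was configured with).
ip http authentication aaa
```

Use show tacacs on the AP to confirm the server address, the single-connection state and the request counters after a GUI login; with the cache in place the counters should no longer climb by dozens per page load.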